When an industry analyst gives a talk on the ‘State of Data Security,’ it’s hard to expect sunshine.

At the Gartner IT Symposium in Toronto on Tuesday, David Mahdi saw a lot of overcast.

“We still need a lot of work, the industry still needs [to spread] awareness,” he said in a pre-conference interview.

“The biggest thing that needs to happen is more broad board awareness of the concepts of data security governance … We need business units to understand these things (data) are assets and liabilities, and they do have a responsibility” to help protect them.

He added that the responsibility of infosec leaders is to spread that message to business units: Technology isn’t going to solve the problems of cyber security. It will be solved by people across the enterprise.

Mahdi is senior research director in Gartner Canada’s systems, security and risk group.

His main message is aimed at CISOs: “Too many times people start at the product stage first” to meet cyber threats. “And that’s one of the big reasons why we’ve been failing as a [security] community.”

For example, if during a security audit a problem is found, infosec leaders often follow the auditor’s recommendation to solve it with technology, with the blessing of management.

That quickly meets compliance. But, Mahdi added, it doesn’t meet the problem of a business unit later signing up for a cloud service without the knowledge of IT. Why? Because the company didn’t have a comprehensive governance strategy.

“If the CISO is successful the CMO will say, ‘Hey, before we subscribe to this cloud platform for marketing I’ll talk to the CISO,’” Mahdi said.

That is why, he says, before buying technology the CISO has to make the organization understand what data it has, what compliance regulations have to be followed, and which business units are linked to that data.

Only after understanding the business units’ needs and working with them on how various solutions should the CISO start spending.

The only way a CISO can get insight into an organization’s practices is to work with it, he emphasized.

“The CISO can’t just push policies down on everybody. There has to be a partnership between them, but there also has to be a continuous flow of requirements gathering and guidance and recommendations. The CISO needs to be an advisor, needs to provide guidance and needs to provide options to business units.”

In addition to first making sure the organization has a business, governance, compliance and IT strategy, the infosec leader has to understand its risk tolerance, Mahdi said. These should be more than a sentence, he added. He favours the creation of risk appetite statements for each project (for example, “if we create this app to start a loyalty program we need to open up our risk appetite because it will mean holding on to more personal data. It will also mean spending more to protect the data.”)

“Have risk management leaders construct better, more business-centric statements that aren’t technical that highlight the risks, and possible business outcomes if the organization is successful,” Mahdi said.

Among the advantages is that the business unit better understands the cyber risks.

“Data security today is still based on gut reaction,” Mahdi said: “You have a breach, you throw technology at it. You fail an audit, you throw technology at it. The vast majority of organizations are in that mode.”

Getting out of that mindset will hopefully lower an organization’s risk. And that might bring in more sunshine.

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomedia [@] gmail.com